It appears that the Waledac authors have decided the "love" theme has worn itself out, and have updated the website template to a new theme I have titled the "Couponizer". This new theme is right in line with the "sharing" social engineering trickery we have grown to expect from malware authors. This theme offers to share with you, the unsuspecting website visitor, money-saving coupons that can only be found by downloading and installing their binary, which is really the Waledac Trojan. So instead of them sharing money-saving coupons, the end user ends up sharing their bandwidth with the Waledac authors to aid in distributing more of these money-saving spam emails and other spamming campaigns. All of this, of course, is done free of charge to the compromised host, unless you're paying for bandwidth under a pay-per-usage plan. Ouch, if you are having to use one of these outdated plans; I can only hope those types of plans have long disappeared for normal residential service connections. Imagine your phone bill if Waledac could infect your handheld device and use up minutes on your wireless data plan. Not a pretty picture if you ask me.
The Waledac binary changes fairly often, both to avoid antivirus detection and to change the seed IP addresses hard-coded into the binary. There are normally 30 hard-coded IP addresses within the Waledac binary, which are used to establish the initial communication with other infected nodes on the botnet. Once this initial communication within the botnet occurs, a larger list of IP addresses is exchanged in an HTTP-based P2P fashion to ensure reliable connectivity to other botnet nodes even when multiple infected nodes go offline or are cleaned up.
Now that I have collected quite a bit of data for the Waledac botnet, I thought it would be interesting to see if I could visualize this data in a meaningful way. Visualizing data has really taken off in the last few years, especially when looking at network flows, and it can reveal some really interesting characteristics that may not be all that apparent when data is presented in tabular format or with charts. All of the graphs or visualizations I am posting today were generated using a combination of the Afterglow.pl script and the Graphviz command line tools. One more note: the generated graphs were extremely large in file size, so I took JPG snapshots of them and placed those in this post to aid page loading speeds. The more detailed graphs are linked via the images to PDF files that can be downloaded to zoom in for a more detailed view.
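As an added example (not code from the original post, nor part of AfterGlow or Graphviz), the script below takes two-column source,target connection records in the CSV layout AfterGlow consumes and renders them as a Graphviz DOT digraph, drawing the targets that appear in a seed list as boxes so that bootstrap contacts stand out from peers learned through the later list exchange. The addresses and the seed list are constructed placeholders from documentation ranges, not real Waledac nodes.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in AfterGlow's two-column "source,target" CSV layout:
# each line is one infected host contacting one peer. RFC 5737 ranges only.
SAMPLE_CSV = """\
192.0.2.10,198.51.100.1
192.0.2.10,198.51.100.1
192.0.2.10,198.51.100.2
192.0.2.10,203.0.113.7
192.0.2.11,198.51.100.1
192.0.2.11,203.0.113.7
192.0.2.12,198.51.100.2
192.0.2.12,203.0.113.7
"""

# Placeholder for the hard-coded seed list pulled from a sample; the real
# list is not reproduced here.
SEED_IPS = {"198.51.100.1", "198.51.100.2"}


def parse_edges(text):
    """Parse source,target CSV lines into a Counter of (src, dst) pairs."""
    edges = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue  # skip blank or malformed lines
        src, dst = (field.strip() for field in row)
        edges[(src, dst)] += 1
    return edges


def to_dot(edges, seeds):
    """Render edges as a Graphviz digraph; seed-list targets get a box shape."""
    lines = ["digraph waledac {", "  node [shape=ellipse];"]
    targets = {dst for _, dst in edges}
    for ip in sorted(targets & seeds):
        lines.append(f'  "{ip}" [shape=box, label="{ip}\\n(seed)"];')
    for (src, dst), count in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{count}"];')
    lines.append("}")
    return "\n".join(lines)


def peer_degree(edges):
    """Number of distinct sources that contacted each target."""
    seen = defaultdict(set)
    for src, dst in edges:
        seen[dst].add(src)
    return {dst: len(sources) for dst, sources in seen.items()}


if __name__ == "__main__":
    parsed = parse_edges(SAMPLE_CSV)
    print(to_dot(parsed, SEED_IPS))  # pipe into: dot -Tpdf -o waledac.pdf
```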